I just wanted some advice: when pen testing Windows boxes, is it better to use a Windows platform, or is Linux still the best platform to use regardless of the box? If so, what would you say are must-have tools for Windows?

I prefer a Linux box just because there are so many tools at your disposal and, for example, BackTrack has them all organized and set up for you. There are certain tools however that only run under Windows, like Cain & Abel, so you should probably have both OSes ready to go just in case...

I agree with cd1zz. With virtualization you can easily have both OSes to use. The last company I was at, we had a pen test being done by an outside firm and the tester was using a Mac, running Windows and Linux. Using Windows to dump hashes from other Windows systems etc... Just like testing malware, you need a Windows system as a victim machine as well as a Linux system for further analysis.

Agreed, but my question is more about what tools there are for Windows. Is it worth having JTR installed on both the Windows and the Linux box? Same with all the other common tools like Nessus, Metasploit and so on....

Metasploit, Nessus, nmap and a number of other tools can be run on both operating systems, but you're really not gaining any advantage by having both. For example, JTR is going to crack a password hash the same way it would on Linux, and you'll get the same result. See my point?

Just run whatever OS you're more comfortable with. If that is Windows, you might encounter tools that are only developed for Linux, which is why I'd probably recommend you just try to do everything on Linux. Seems easier that way to me!

In the OffSec PWB/OSCP the only time you really use Windows is while creating an exploit for a Windows machine.

I use Linux based machines as my primary OS and only have Windows virtual machines for "target practice" and developing exploits.

In terms of tools, JTR does work on Windows; however, from a performance standpoint you'd be much better off running it on Linux. Maybe you should do a comparison on two VMs with the same spec, one running Windows and one running Ubuntu or something like that.

As cd1zz said, whatever it takes to get the job done. As an example, I prefer to use Linux for my pen testing (SamuraiWTF); however, I'm currently in an engagement where the web app utilizes ActiveX (hurl). So, I'm forced to use a Windows-based toolset since I'm forced to use IE to be able to fully access all content.

I say it's best to be prepared for any environment. As mentioned, VMs are a great way to go.

I agree, your main host should be whatever your preference is, and then virtual machines for everything else. Or you could dual boot; it doesn't really matter, but that would prevent you from being able to run tools from multiple operating systems at the same time.

Also, if you're doing frugal installs of pen-testing suites (like BackTrack or Samurai), I would recommend only running them in Virtual Machines, as these can usually be rooted more easily.

I recommend Linux as a main penetration testing toolbox, and then Windows for tools that only run on Windows, or for that matter run the fastest there (Nessus, NeXpose, Immunity CANVAS, Core Impact, and so forth; all the automated tools that you can use to assist you in your pentests).

Using automated tools alone does not make anyone a real pentester, in my humble opinion.

Anyway, often I might have to install a tool, craft a packet, use a raw socket, etc. Linux can easily do this and it's often also faster to do all of these as well.

Install a tool: apt-get install toolname (if it's in the repositories, of course)
Craft a packet: just use Scapy; it's quite effective since you can pretty much create any kind of packet and still have a nice overview.
Use a raw socket: no need to install custom libraries like WinPcap.

For tools, you can pretty much just download BackTrack from www.backtrack-linux.org and you'll have 90-99% of all the tools you will ever need. (Besides those you might have to write yourself.)

MaXe wrote: Using automated tools alone does not make anyone a real pentester, in my humble opinion.

For tools, you can pretty much just download BackTrack from www.backtrack-linux.org and you'll have 90-99% of all the tools you will ever need. (Besides those you might have to write yourself.)

That in itself (BT) is nothing more than a tool. Although from time to time I plop open a BT machine, I almost ALWAYS perform testing on anything I can get my hands on. FreeBSD, Solaris, NetBSD, OpenBSD, DragonFly, other versions of Linux. I don't really care for any particular OS as it is only a tool.

In doing so, you get used to whatever is available on the operating system without having to rely on ANY tool, including Scapy for packet play. Imagine you getting into a Solaris ONLY network without Python: what would you do without Scapy? Install Python to get Scapy running? I wouldn't; I would try hping, harpoon or tcpreplay, which have fewer dependencies, and HIDS isn't going to see the glaring Python install. On BSD I might use bittwist or hexinject; all depends on what I'm doing.

Personally, I would fiddle with ALL operating systems to become as versatile as possible and try mimicking available security tools with normal system-available tools. E.g. if using, say, FreeBSD, you'd want to focus on ports in the net tree (http://www.freebsd.org/ports/categories-grouped.html) and familiarize yourself with them. You'd be surprised to find you can perform the same functions as ANY SECURITY TOOL with standard system tools. You have to know what's available and what's not.

So while some may tout the "this OS" or "this tool" I say, focus on the system rather than the tool. BT is also nothing more than a tool. If you become too comfortable with it and the tools on it, you're not doing yourself any justice and you are no more a pentester than anyone else firing off tools.

MaXe, this isn't aimed at you at all. Just stating the obvious: there isn't any "one size fits all." I would love to see how many pentesters would be able to make do with just the system tools, NOT being able to download, install or run whatever favorites they have. When one can do this with most systems, then one should pat themselves on the back, period.

I've said it before: imagine being contracted to pentest a "contained" environment without being able to use whatever tools or operating system of your choice. What could you do? What could you do for recon on, say, a Windows XP machine with no nmap, Wireshark, etc.? How would you enumerate the network? Same goes for Linux, BSD, etc., especially BT. When you feel confident on any system without tools, you can best believe the tool of choice would be whatever is available to you, NOT what your favorite is.

sil wrote: MaXe, this isn't aimed at you at all. Just stating the obvious: there isn't any "one size fits all." I would love to see how many pentesters would be able to make do with just the system tools, NOT being able to download, install or run whatever favorites they have. When one can do this with most systems, then one should pat themselves on the back, period.

I've said it before: imagine being contracted to pentest a "contained" environment without being able to use whatever tools or operating system of your choice. What could you do? What could you do for recon on, say, a Windows XP machine with no nmap, Wireshark, etc.? How would you enumerate the network? Same goes for Linux, BSD, etc., especially BT. When you feel confident on any system without tools, you can best believe the tool of choice would be whatever is available to you, NOT what your favorite is.

It's cool, actually I am just stating what beginners should learn about first. Being comfortable in any or almost any environment takes time. For example, with web application security often all I require is a browser that is able to view the source code of a website. I can do with telnet or netcat too, or a scripting language, but it will slow me down.

Often I just get Firefox and find a random cookie editor when I'm tired of manually editing the cookies, and of course a transparent proxy or an add-on performing the same function. Web application security is of course only a small part of penetration testing, but if I had to I could probably even cope with using Lynx or Links only too xD

Recently I was testing a custom environment where I couldn't install any tools, and the only scripting language installed locally on the machine was Perl, so I had to just go with that even though I never really used Perl, but thankfully most of the stuff I had to do wasn't that hard. (gcc, cc, g++, Python, and all those other tools were not installed and it was not possible to install them either, so I just looked for scripting languages installed instead in that case, hehe.)

I get your point of course, and I admire that you're able to be comfortable in so many environments as not even I am that. Of course I can always do my best, and use Google to the best extent possible, but in my case I'm mostly familiar with using Linux (a few different variants) and Windows.

Scapy was also just an example, as I know you could probably do with hping too. It was nice reading your feedback though.

Awesome point, Sil. Hmm, I actually got to feel the bite of not having any tools available. I recently started a new job (2 months now) in a very large enterprise. The last place I was at was small: only a few hundred users and 100 servers, 50% VM. I had the keys to the kingdom there, being the Security Admin as well as having a good amount of knowledge on the other areas in our support group. Now I am in something that dwarfs my last job: 14K users, almost 1000 servers and many restrictions placed on the workstations. So no keys, limited access to some log data, and it took 2 months to get local admin so I could start installing some tools like nmap. So for the 2 months I had to make do with what I had to investigate systems: nslookup, ping, tracert, netstat etc...
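To make the "system tools only" point above concrete, here is an added example that is not from any of the posters in this thread: recon with nothing but what a stock Linux box already ships (bash, awk, sort, tr, ping, coreutils' timeout) and the kind of netstat output you get on a locked-down Windows workstation. The netstat text is a constructed sample laid out like Windows XP's `netstat -an`, not a real capture, and the addresses in it are made up; the functions that touch the network are shown with their flags for Linux iputils ping and bash's `/dev/tcp` pseudo-device, which is a bash feature rather than something every `/bin/sh` has.

```shell
#!/usr/bin/env bash
# Added example, not from any post in this thread: recon with only what a
# stock system already has. Parsing uses awk/sort/tr; probing uses bash's
# /dev/tcp pseudo-device, ping and coreutils' timeout. No nmap, nc or Python.

# Constructed sample in the layout `netstat -an` prints on Windows XP.
# Not a real capture; it stands in for output you would paste or pipe in.
SAMPLE_NETSTAT='
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.10:1041      192.168.1.20:3389      ESTABLISHED
  TCP    192.168.1.10:1042      192.168.1.5:139        TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
'

# listening_tcp_ports: read netstat -an text on stdin, print each listening
# TCP port once, numerically sorted. CRs are stripped in case the text was
# copied off a Windows box, where they would otherwise stick to the State column.
listening_tcp_ports() {
  tr -d '\r' | awk '$1 == "TCP" && $4 == "LISTENING" {
      n = split($2, a, ":"); print a[n]
  }' | sort -un
}

# established_peers: remote IPv4 addresses this host is currently talking to.
# When you cannot sweep the subnet, these are the first hosts worth a look.
established_peers() {
  tr -d '\r' | awk '$1 == "TCP" && $4 == "ESTABLISHED" {
      split($3, a, ":"); print a[1]
  }' | sort -u
}

# tcp_probe HOST PORT [TIMEOUT]: exit 0 if HOST accepts a TCP connection on
# PORT within TIMEOUT seconds (default 2), non-zero otherwise. The connect is
# done by opening /dev/tcp/HOST/PORT in a child bash, which closes it on exit.
tcp_probe() {
  timeout "${3:-2}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# port_sweep HOST PORT...: print "HOST:PORT open" for every accepted connection.
port_sweep() {
  local host=$1 p
  shift
  for p in "$@"; do
    tcp_probe "$host" "$p" && echo "$host:$p open"
  done
  return 0
}

# ping_sweep PREFIX: print the hosts PREFIX.1-254 that answer one ICMP echo.
# Flags are Linux iputils; the Windows cmd.exe equivalent is `ping -n 1 -w 1000`.
ping_sweep() {
  local prefix=$1 i
  for i in $(seq 1 254); do
    ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i"
  done
  return 0
}

# Run the parsers over the constructed sample (no network needed):
printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp_ports
printf '%s\n' "$SAMPLE_NETSTAT" | established_peers
# Live use on a real box would look like:
#   port_sweep 192.168.1.5 22 80 135 139 445 3389
#   ping_sweep 192.168.1
```

The parsers are the part you can carry to any box: feed them `netstat -an` from Windows, or `netstat -an`/`ss -tan` from Linux, and you get the listening services and the peers the host already talks to without installing anything. The probing functions are deliberately slow and sequential; that is the price of having no nmap, and it also keeps you under the noise floor of most host-based monitoring, which was sil's point about not dragging a Python install onto a Solaris box.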